
Issue 684787

Issue metadata

Status: WontFix
Merged: issue 680513
Owner:
Closed: Jan 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug



Webview throws onReceivedSslError for Android 7.0 even if self signed CA is installed to trust store.

Reported by kavithac...@gmail.com, Jan 24 2017

Issue description

THIS TEMPLATE IS FOR FILING BUGS ON THE ANDROID SYSTEM WEBVIEW. GENERAL WEB
BUGS SHOULD BE FILED USING A DIFFERENT TEMPLATE!

Device name: Nexus 6P and Pixel XL
Android version: 7.1.1
WebView version (from system settings -> Apps -> Android System WebView):
Android System WebView is disabled on both devices. I checked the Play Store and I see Android System WebView is disabled and we have the option to enable it, but nothing happens when we click on enable.

URLs (if applicable):
Any URL where the server cert is self-signed. We used some internal server.


Steps to reproduce:
(1)
Open the URL in Chrome; we see the user is prompted that the security cert is not trusted.
Open the URL in WebView - onReceivedSslError is called.

(2)
Now install CA to trust store

(3)
Open the url in chrome, no warning displayed.
But webview still throws onReceivedSslError

Expected result:
Webview should be able to load url without any issue.

Actual result:
Webview throws onReceivedSslError even if CA is installed

Other Version :
Tested on Android 6.0 and works as expected.  Once CA is installed webview does not throw onReceivedSslError



 
Mergedinto: 680513
Status: Duplicate (was: Unconfirmed)
https://www.chromium.org/developers/androidwebview/webview-ct-bug

In short: on Android N, you need to update Chrome, not WebView.
Owner: sgu...@chromium.org
Status: Unconfirmed (was: Duplicate)
whoops, sorry, ignore that ^
Chrome version: 55.0.2883.91, it's the latest from the Play Store. The issue is not about Android System WebView; I do know that on Android N we need Chrome (I don't think it is a duplicate of 680513). The issue is about the SSL error.




Comment 4 by torne@chromium.org, Jan 25 2017

Have you checked the actual URL you're getting in onReceivedSslError? One difference between Chrome and WebView's handling of SSL errors is that Chrome only displays an interstitial if the top-level page has an SSL error; if a subresource (image, iframe, etc) has an SSL error, that subresource is simply not loaded but the rest of the page can be used. WebView calls onReceivedSslError for *all* SSL errors, even for subresources.

So, one possibility is that the HTTPS page you're using is fine, but it embeds a subresource from another HTTPS server whose certificate is bad.

@Torne: I tested, and it seems to fail at the top-level page. As mentioned above, it works on Android 6.0 but not 7.1.1.

Comment 6 by sgu...@chromium.org, Jan 25 2017

any logs from webview?
any repro app (with the source code) I can try and play with? or any page that I can access and try?

without these it is hard for us to help.

Comment 7 by sgu...@chromium.org, Jan 25 2017

A couple more suggestions:

Make sure you read and understand the platform specific changes we made in N. See this page: https://developer.android.com/training/articles/security-config.html#CustomTrust

"By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default. An app can customize its own connections using base-config (for app-wide customization) or domain-config (for per-domain customization)."

OK, I have attached a sample app which would help reproduce the issue.

The app has a Load URL button and hits the server below:
https://anilcerttest.cloudapp.net/certtest/home

Step 1: Launch the sample app on an Android 6.0 device and an Android 7.1.1 device.
Hit Load URL; nothing happens and the WebView remains blank since an SSL error is thrown,
which is expected.

Step 2: Install the cert (part of the attachment) on both devices.

Step 3: Hit the Load URL button again.
On the Android 6.0 device: you would see the WebView is updated.
Text displayed is: Cert Tester No certificate from client
This is expected behavior (ignore the text, server checks if client provided cert)

On the Android 7.1.1 device: we still receive an SSL error and the WebView is blank.


Sampleapp.zip
8.8 MB Download

Comment 9 by sgu...@chromium.org, Jan 26 2017

Labels: -Pri-3 Pri-2
Thanks for the repro case, I will look at it.
Did you read my comments in #7, by the way? Did you try it in your application?
In particular, try this if you want to trust user certs, but it is better to customize the cert you trust only to the one you add.

<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>

Got it, I see that when the app target version was set to 24 the user-installed CA is not considered; adding the above XML fixed the issue. Thanks.
Status: WontFix (was: Unconfirmed)
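
Added example, not part of the original thread or the reporter's sample app: a narrower alternative to the base-config in comment 9, following that comment's advice to trust only the certificate you add. It assumes the self-signed CA is bundled in the app as res/raw/internal_ca (a hypothetical resource name) and uses the test host from the repro steps.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name is an assumption),
     referenced from AndroidManifest.xml with
     <application android:networkSecurityConfig="@xml/network_security_config"> -->
<network-security-config>
    <!-- Default for every other host: system CAs only. This is already the
         behaviour for apps targeting API level 24 and higher. -->
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Only this host additionally trusts the bundled CA.
         @raw/internal_ca is a hypothetical resource holding the CA
         certificate in PEM or DER form. -->
    <domain-config>
        <domain includeSubdomains="false">anilcerttest.cloudapp.net</domain>
        <trust-anchors>
            <certificates src="@raw/internal_ca"/>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>

    <!-- User-installed CAs are honoured only when the build is debuggable
         (android:debuggable="true"), so release builds ignore them. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

With this layout a CA added to the device's user store no longer affects release builds, and the bundled CA is trusted for the one internal host only.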
